Microsoft’s authentication method NTLM is a never-ending security nightmare. Deprecated years ago, it is still present in most Windows networks and is systematically misused by criminals, for example in ransomware attacks. And now Google’s Mandiant is making the situation even worse – at least seemingly. The company is releasing so-called rainbow tables that make reconstructing passwords from intercepted authentication attempts child’s play. But there is a comprehensible plan behind it.
NT LAN Manager (NTLM) is the oldest authentication method in Windows networks; its successor Kerberos has been the default since 2000. And for good reason: NTLM is an acute security risk. Especially when using Net-NTLMv1, attackers can reconstruct the password used, for example, through artificially forced login processes – so-called coercion. However, there are so many niches where NTLM is still required that Microsoft has not yet managed to completely remove the protocol. And because it is still present on many Windows systems, attackers can force a downgrade and steal passwords.
Calculated Coup de Grâce
Cracking the passwords is then done with rainbow tables. These contain pre-calculated intermediate values of the time-consuming cracking process, with the help of which the rest only takes a few minutes; the theory behind it is explained in the heise article “From Dictionaries and Rainbows.” Google is now making exactly these extensive tables available for free download so that anyone can use them with the also freely available cracking programs like John the Ripper on their laptop. This is precisely Google’s intention: “By releasing these tables, Mandiant aims to lower the barrier for security experts to demonstrate the insecurity of Net-NTLMv1,” they explain this drastic step.
The calculation could pay off because a cracked password in front of one’s own eyes might convince management that hardening the Windows network should finally be addressed concretely. Even more importantly, it increases the pressure on Microsoft to finally bring the decades-long phase-out of NTLM to an end. The additional risk, on the other hand, is manageable: Rainbow cracking as an online service already existed 20 years ago, and the required rainbow tables have also been circulating for ages. Anyone who really wanted them could find and use them; attacks by dedicated perpetrators do not fail due to a lack of rainbow tables.
Help for Admins
The problem is rather the protective measures during the transition period until Microsoft finally pulls the plug. Google simply states, “Organizations should immediately disable the use of Net-NTLMv1.” However, this is often not so trivial in the practical reality of existing Windows networks. There is a reason why Microsoft is delaying the end of NTLM for so long: in practice, this often leads to issues. Precisely for this reason, heise security already offered administrators extensive assistance in a dedicated webinar in 2024, “NTLM: Microsoft’s Original Sin and How Admins Can Deal With It Sensibly.”
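Disabling Net-NTLMv1 without breaking things starts with finding out who still uses it. The following PowerShell script is an added example for this article, not code from heise, Mandiant or Microsoft. It assumes an elevated PowerShell session on the Windows host being checked; the registry values LmCompatibilityLevel and AuditReceivingNTLMTraffic, the Security log event 4624 and its LmPackageName field are standard Windows settings, while the posture report and the two-step order (audit first, then enforce) are this example’s own.

```powershell
# Added example, not from the article, Mandiant or Microsoft. Assumes an elevated
# PowerShell session on the host under review; the reporting format is ours.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# LmCompatibilityLevel ("Network security: LAN Manager authentication level"):
#   0-2  clients may still send LM/NTLMv1 responses
#   3-4  this client sends NTLMv2 only, but as a server it still accepts NTLMv1 (4 refuses LM)
#   5    refuses LM and NTLMv1 as a server; only NTLMv2 is accepted
function Get-NtlmPosture {
    $level = (Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    $audit = (Get-ItemProperty -Path $Msv1Key -Name AuditReceivingNTLMTraffic -ErrorAction SilentlyContinue).AuditReceivingNTLMTraffic
    [pscustomobject]@{
        LmCompatibilityLevel = if ($null -eq $level) { 'not set (OS default applies)' } else { $level }
        RefusesNtlmV1        = ($level -eq 5)
        IncomingNtlmAudited  = ($null -ne $audit -and $audit -ge 1)
    }
}

# Step 1: audit before enforcing. Value 2 logs every incoming NTLM authentication on
# this host to Microsoft-Windows-NTLM/Operational, which reveals the remaining NTLMv1 clients.
function Enable-NtlmAudit {
    Set-ItemProperty -Path $Msv1Key -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
}

# Step 2: once the last NTLMv1 client has been migrated, refuse LM and NTLMv1 outright.
function Set-NtlmV2Only {
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# Successful logons (4624) whose LmPackageName is "NTLM V1" (or "LM") name the accounts and
# source machines that would stop working the moment level 5 is enforced.
function Find-NtlmV1Logons {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            if ($data.AuthenticationPackageName -eq 'NTLM' -and $data.LmPackageName -in @('NTLM V1', 'LM')) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                    Workstation = $data.WorkstationName
                    Source      = $data.IpAddress
                    Package     = $data.LmPackageName
                }
            }
        }
}

Get-NtlmPosture
Find-NtlmV1Logons | Group-Object Workstation, Account | Sort-Object Count -Descending | Format-Table Count, Name
```

Run the report and the audit step first and leave them in place for a few weeks; the grouped list of workstation/account pairs is the work list for fixing or replacing the clients that still fall back to NTLMv1. Only when that list stays empty should Set-NtlmV2Only be applied, and on domain controllers the equivalent is best rolled out through Group Policy rather than per-host registry edits.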
But now admins should definitely tackle this and harden Windows authentication to get this danger under control. This also includes taming Kerberos, because it too is plagued by security issues, which manifest in attacks like Kerberoasting with Golden and Silver Tickets. These are so-called ticket-granting tickets that allow the attacker to issue authentication tokens to themselves. How exactly this works and what can be done about it is explained and demonstrated by Frank Ully in the heise security webinar “Securing Authentication in Active Directory: Surviving (and Thriving) with Microsoft’s Outdated Concepts” on February 26th. Of course, it will also cover NTLM and how to deal with it sensibly.
(ju)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.